TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Some Contractor Personnel Without Background Investigations
Had Access to Taxpayer Data and Other Sensitive Information

July 7, 2014

Reference Number: 2014-10-037

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

SOME CONTRACTOR PERSONNEL WITHOUT BACKGROUND INVESTIGATIONS HAD ACCESS TO
TAXPAYER DATA AND OTHER SENSITIVE INFORMATION

Final Report issued on July 7, 2014

Highlights of Reference Number: 2014-10-037 to the Internal Revenue Service Deputy
Commissioner for Operations Support.

IMPACT ON TAXPAYERS

IRS policy requires contractor personnel to have a background investigation if they will have or
require access to Sensitive But Unclassified (SBU) information, including taxpayer
information. Allowing contractor personnel access to taxpayer and other SBU information
without the appropriate background investigation exposes taxpayers to increased risk of fraud and
identity theft.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine the effectiveness of IRS controls to
ensure that background investigations were conducted for contractor personnel who had
access to SBU information.

WHAT TIGTA FOUND

Taxpayer and other SBU information may be at risk due to a lack of background investigation
requirements in five contracts for courier, printing, document recovery, and sign language
interpreter services. For example, in one printing services contract, the IRS provided the
contractor a compact disk containing 1.4 million taxpayer names, addresses, and Social Security
Numbers; however, none of the contractor personnel who worked on this contract were
subject to a background investigation.

In addition, TIGTA found 12 contracts for which IRS program and procurement office staff
correctly determined that contractor personnel required background investigations because
they would have access to SBU information; however, some contractor personnel did not
have interim access approval or final background investigations before they began
working on the contracts.

Further, TIGTA identified 20 contracts for which either some or all contractor personnel did not
sign nondisclosure agreements. In June 2013, after the period covered by our audit, the IRS
issued more explicit guidance requiring the execution of nondisclosure agreements.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Deputy Commissioner for Operations Support should
ensure that the types of service contracts identified in this review have the appropriate
security provisions included in the contract and that associated contractor personnel have an
appropriate interim access approval or final background investigation prior to beginning work
on the contract. In addition, the IRS should use the results of our contract reviews to train
program office and procurement office staff on contractor security requirements and the
necessity for contractor personnel to sign nondisclosure agreements prior to working on a
contract. Finally, TIGTA recommended that the Office of Chief Counsel (Chief Counsel) work
with the Department of the Treasury Security Office to review the waiver currently in place that
exempts expert witnesses from background investigations and determine if the waiver is still
appropriate in the current security environment.

The IRS agreed with four of the five recommendations. The IRS disagreed with our
recommendation that the Chief Counsel should work with the Department of the Treasury
Security Office to review the background investigation waiver issued in August 2005 to
determine if the waiver is still appropriate. TIGTA believes that waiving the requirement for
a background investigation presents a security risk.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 7, 2014

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM:      Michael E. McKenney
           Acting Deputy Inspector General for Audit

SUBJECT:   Final Audit Report – Some Contractor Personnel Without Background
           Investigations Had Access to Taxpayer Data and Other Sensitive
           Information (Audit # 201310028)

This report presents the results of our review to determine the effectiveness of Internal Revenue
Service (IRS) controls to ensure that background investigations were conducted for contractor
personnel who had access to SBU information. This review is included in our Fiscal Year 2014
Annual Audit Plan and addresses the major management challenge of Security for Taxpayer
Data and IRS Employees.

Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant
Inspector General for Audit (Management Services and Exempt Organizations).

Table of Contents

Background

Results of Review
    Contracts That Required Security Provisions for Background
    Investigations Were Not Always Identified
        Recommendation 1
        Recommendation 2
    Some Contractor Personnel Did Not Have Timely Background
    Investigations When Required by the Contract
    Nondisclosure Agreements Were Not Always Obtained
        Recommendation 3
    Other Internal Control Matters Identified
        Recommendation 4
        Recommendation 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Management’s Response to the Draft Report

Abbreviations

CO         Contracting Officer
COR        Contracting Officer’s Representative
IRS        Internal Revenue Service
NDA        Nondisclosure Agreement
SBU        Sensitive But Unclassified
TIGTA      Treasury Inspector General for Tax Administration

Background

In Calendar Year 2013, a number of high-profile events that took place put Federal contractors
and contractor personnel in the spotlight. For example, a Federal contractor with a top secret
clearance leaked classified information to the media, and one of the largest private firms that
specializes in conducting investigations for the Federal Government is under investigation for
taking short cuts in its information gathering process. Like other Federal agencies, the Internal
Revenue Service (IRS) relies on contractor personnel to accomplish a broad range of
mission-critical functions that often requires extensive access[1] to sensitive information and IRS
facilities.
As of January 2014, there were approximately 14,000 contractor personnel with
“staff-like” (unescorted) access working on active contracts, of which approximately 10,000 had
documented access to IRS facilities, systems, or Sensitive But Unclassified (SBU) information.
SBU is any information under the IRS’s authority that the loss, misuse, unauthorized access, or
modification of could adversely affect the national interest, the conduct of IRS programs, or the
privacy to which individuals are entitled under law.[2] The IRS categorizes SBU information in
one or more of the following groups:
    • Tax Returns and Return Information.
    • Sensitive Law Enforcement Information.
    • Employee Information.
    • Personally Identifiable Information.
    • Other Protected Information.

According to the IRS, SBU information must be treated as confidential and shall not be divulged
or made known in any manner to any person except as may be necessary and allowed in the
performance of a contract. Unauthorized disclosure of SBU information by contractor personnel
through negligence or misconduct can have a significant effect on the IRS’s ability to perform its
primary functions, potentially resulting in financial loss, damaged reputation, and loss of public
trust.

[1] Access is the ability and opportunity to obtain knowledge of information. An individual is considered to have
    access to information if he or she is admitted to an area where such information is kept or handled and security
    measures do not prevent that individual from gaining knowledge of such information.
[2] The Privacy Act of 1974 (5 U.S.C. Section 552a) regulates the Federal Government’s use of personal information.

IRS policy requires contractor personnel to attain favorable background investigations if their
duration of employment exceeds 180 calendar days and they require unescorted (staff-like)
access to IRS facilities or work on contracts that involve the design, operation, repair, or
maintenance of information systems, and/or require access to SBU information. Contractor
personnel who require a background investigation are assigned a position risk level that
determines the extent of the background investigation to be conducted. Contractor personnel are
subject to three preliminary eligibility criteria (tax compliance, citizenship, and Selective Service
registration). Interim staff-like access approval may be granted while a full background
investigation is completed by the Office of Personnel Management. If the duration of
employment is less than 180 days or access is infrequent, i.e., two to three days per month, and
the contractor staff member requires unescorted access, the contractor staff member must meet
these preliminary eligibility criteria and must also have a favorable fingerprint check, a credit
check (if applicable), and no other disqualifying suitability issues.

The procurement process begins when a requestor (usually a program office manager) in an IRS
business unit determines that a requirement for goods or services exists. After a business unit
determines these requirements, a requisition is created within the IRS Integrated Procurement
System.[3] The requestor must complete some basic information about the requirement in the
requisition screen in the Integrated Procurement System.
In addition, there are a number of
screening questions used to identify whether the contracting action requires disclosure of SBU
information to a contractor, access to IRS information systems, or access to a facility owned,
controlled, or occupied by the IRS. The requestor must also determine the possible disclosure
and Privacy Act requirements. The combination of responses to these questions determines
which special clauses are evoked and identified to the contracting officer (CO) for use in the
solicitation and contract.[4] The COs are responsible for reviewing proposed solicitations to
determine whether access to classified information (or SBU information) may be required by
offerors or by a contractor during contract performance, and the CO should include appropriate
security clauses in both the solicitation and the contract.[5]

During the award phase, the COs must inform contractors and subcontractors of the security
classifications and requirements assigned to the various documents, materials, tasks,
subcontracts, and components of the contract. Contracting officer’s representatives (COR) are
responsible for designating and documenting the risk level of each position in the contract.[6]

[3] This system allows IRS personnel to prepare, approve, fund, and track requests for the delivery of goods and
    services.
[4] The CO is an IRS employee who is responsible for ensuring performance of all necessary actions relating to the
    contract, including ensuring that contractors are complying with contract terms and conditions.
[5] Federal Acquisition Regulation, 48 C.F.R. 4.404.
[6] The COR is a qualified IRS employee appointed by the CO to act as his or her technical representative in
    managing all of the technical aspects of a particular contract. The COR must have knowledge of the laws, rules,
    policies, and procedures that pertain to security safeguards, e.g., privacy, disclosure. Contractor security
    representatives and the CORs work with appropriate business unit officials to identify access needs and preliminary
    assessments on position risk designations. However, the Human Capital Office, Personnel Security, is the final
    authority and will review and update the risk level as needed.

Agencies are authorized to issue regulations that implement or supplement the Federal
Acquisition Regulation and incorporate agency policies, procedures, contract clauses, solicitation
provisions, and forms that govern the contracting process or otherwise control the relationship
between the agency and contractors or prospective contractors. The Department of the Treasury
Security Manual defines the security investigative process to determine whether contract
employees should have unescorted access to and in IRS facilities, or access to SBU information
or information systems.

Responsibility for background investigations and providing access to IRS facilities, systems, and
SBU information is assigned to various functions within the IRS including: the Office of
Procurement; the Contractor Security Management Office (within the Incident and Contract
Management Division, Physical Security and Emergency Preparedness); and the Personnel
Security Office within the Human Capital Office, Employment, Talent, and Security Division.
The Contractor Security Management Office is responsible for sending all contractor background
investigation requests to the Personnel Security Office and coordinates submissions and actions
with the contractor and contractor security representative, as appropriate.
The responsible COR
and Personnel Security Office staff review the work to be performed under the contract and use
the Office of Personnel Management Position Designation Automated Tool to assign risk
designations (low, moderate, or high) to positions of the contractors working on the contract in
accordance with the related criteria. The position risk levels are based upon potential damage to
the efficiency of the IRS. Typically, all contracts that contain SBU information for tax
administration purposes shall be protected at the moderate-risk level.

In addition, IRS solicitations and contracts must include a clause that requires position risk
designations for contractor personnel background investigation or screening as required for
access to IRS facilities, information systems, security items and products, and/or SBU
information. The clause requires the successful contractor’s personnel to execute appropriate
security forms prescribed by the IRS Personnel Security Office prior to contract work being
performed and in advance of being granted access to IRS facilities, information systems, and/or
SBU information.[7]

[7] Policy and Procedures Memorandum 39.1(I) requires the CO to include the IRS clause “IR1052.224-9008,
    Safeguards against Unauthorized Disclosure of Sensitive but Unclassified Information (JUN 2013)” in Section H or
    other appropriate sections in all solicitations and resulting contracts and orders having an expected value exceeding
    the micro-purchase threshold ($3,000) if the contractor will have access to SBU information. IRS, Policy and
    Procedures Memorandum No. 39.1(I), Safeguards against Unauthorized Disclosure of Sensitive but Unclassified
    Information (July 2013).

Finally, contractor personnel who require access or will be exposed to SBU information should
complete a nondisclosure agreement (NDA). The purpose of NDAs is to make contractors aware
of their responsibilities for maintaining confidentiality of taxpayer or SBU information and to
deter noncompliance by explaining consequences of unauthorized disclosure. Many agencies
across the Federal Government utilize NDAs as a best practice to protect sensitive information,
and the Government Accountability Office has recommended that the Federal Acquisition
Regulation be updated to require them. Prior to June 2013, IRS personnel security officers, in
consultation with information systems security officers, the COs, and the CORs, determined
whether an NDA was necessary. In June 2013, the IRS issued more explicit guidance indicating
that all contractor personnel who require access to SBU information shall sign an NDA. The
NDAs are to reference the conditional nature of access to SBU information with respect to the
contract work or specialized project for which such access is required. The NDAs also require
contractor personnel to safeguard and to refrain from disclosing SBU information.[8]

We reviewed a total of 34 contracts—five contracts identified by a prior audit or investigations[9]
as having security concerns related to contractor personnel and a stratified random sample of
29 contract awards selected to represent a cross-section of goods and services acquired by the
IRS.[10] We determined that 28 of the 34 contracts we reviewed required unescorted contractor
personnel access to SBU information. These 28 contracts were reviewed for compliance with
the applicable authorities.

For this review, we held discussions with and analyzed data obtained from the Agency-Wide
Shared Services Office of Procurement in Oxon Hill, Maryland; the Agency-Wide Shared
Services Physical Security and Emergency Preparedness Branch in Washington, D.C.; IRS
mailrooms at offices in Dallas and Houston, Texas, and Holtsville and New York City,
New York; and the Real Estate and Facilities Management office in Austin, Texas, during the
period July 2013 through February 2014. The objective of this review was to determine the
effectiveness of IRS controls to ensure that background investigations were conducted for
contractor personnel who had access to SBU information. As a result, we only examined
selected portions of the on-boarding of contractor personnel stage of the selected procurements.
For example, we did not evaluate whether contractor personnel completed required security
training before gaining access to IRS information technology systems or whether the background
investigations themselves were thorough and complete.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objective.
We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objective. Detailed information on our audit
objective, scope, and methodology is presented in Appendix I. Major contributors to the report
are listed in Appendix II.

[8] Penalties for disclosure of tax returns or return information are prescribed by I.R.C. §§ 7213 and 7431 and set forth
    at 26 C.F.R. § 301.6103(n)–1.
[9] Treasury Inspector General for Tax Administration, Ref. No. 2011-10-098, The Internal Revenue Service
    Adequately Prepared for and Responded to the Austin Incident (Sept. 2011).
[10] Although our contract sample of 29 was randomly selected within the various strata we identified, we are not
    projecting the results of our analysis to the entire population of contracts awarded during our audit period because
    the sample size per strata was not large enough.

Results of Review

Contracts That Required Security Provisions for Background
Investigations Were Not Always Identified

Taxpayer and other sensitive information may be at risk due to a lack of background
investigation requirements in contracts for courier, printing, document recovery, and sign
language interpreter services.
IRS policy requires that contractor personnel who require or will
have access to SBU information undergo a background investigation.[11] Of the 28 contracts we
reviewed, we identified five contracts for which contractor personnel had access to SBU
information, but contractor personnel had not undergone background investigations, contrary to
IRS policy.[12] Figure 1 provides the details on these five contracts.

[11] IRM 10.23.2, Contractor Personnel Security, establishes guidelines and procedures for the conduct of security
    investigations on contractor personnel with access to facilities owned or controlled by the Department of the
    Treasury and contractor personnel who work on contracts that involve the design, operation, repair, or maintenance
    of information systems and/or require access to SBU information. All contractor staff members whose duration of
    employment is expected to be less than 180 days are required to pass three eligibility checks (tax compliance,
    citizenship, and Selective Service registration) and must have a favorably adjudicated fingerprint result.
[12] Program office or procurement office staff did not properly identify these contract actions as having access to
    SBU information; therefore, security provisions were not present in the contract. As a result, the contractor
    personnel were not required to undergo the background investigation process or other preliminary suitability
    screenings.

Figure 1: Contracts That Permitted Access to SBU Information
but for Which Background Investigations Were Not Conducted

Contract
Service            Details

Courier            • Two contracts were awarded for the delivery of internal IRS documents and mail between
Services             IRS facilities, post offices, and other locations. Based on physical observations, we
                     determined that contractor personnel had access to taxpayer and other SBU information. For
                     example, we observed transport of tax returns, tax court cases, a personnel file, and Personal
                     Identity Verification badges.
                   • For one of the two contracts, contracting personnel notified all contract bidders in the contract
                     solicitation that contractor personnel should be able to pass a background investigation.
                     However, neither final contract contained a requirement for contractor personnel to undergo a
                     background investigation.
                   • For one of these contracts, we found that a courier who performed the daily route previously
                     served 21 years in prison for arson, retaliation, and attempted escape.

Sign Language      • One contract was awarded for services to interpret for IRS deaf or hard of hearing managers,
Interpreters         employees, visitors, and job applicants in a variety of settings and situations. We reviewed a
                     list of specific services provided and identified a number of situations in which contractor
                     personnel had access to SBU information, including interviews with potential interns and a
                     meeting between an IRS supervisor and an employee regarding a conduct issue.
                   • The contract stated that background investigations were required of contractor personnel who
                     have access to SBU information. However, none of the contractor personnel underwent
                     background investigations. When we asked why this was the case, the IRS stated that the
                     original COR assigned to this contract has retired, and it was unable to explain why
                     background investigations were not completed and the NDAs were not executed.
                   • The new Treasury-wide sign language interpretation contract being used by the IRS did not
                     require background investigations of any contractor personnel.[13] The contract did include
                     disclosure clauses and a blank template NDA; however, because this new contract was not
                     part of our original audit scope, we did not determine whether the NDAs were executed after
                     this contract was issued.

Printing           • One contract was awarded to print and mail IRS tax forms during which the IRS provided the
Services             contractor a compact disk containing 1.4 million taxpayers’ names, addresses, and Social
                     Security Numbers. The IRS used a Government Printing Office contract to fulfill this
                     requirement; however, the IRS had not provided the Government Printing Office with the
                     appropriate security provisions for inclusion in the related solicitation and contract as
                     required.
                   • None of the contractor personnel who worked on this contract underwent a background
                     investigation.

Document           • The IRS placed a task order[14] against a General Services Administration contract with a
Recovery             vendor for cleanup and recovery services of sensitive documents and employee personal
                     effects damaged in the February 2010 attack in which a single-engine airplane was
                     intentionally flown into an IRS office building in Austin, Texas (the Austin incident). Some
                     of the documents salvaged contained SBU information, including taxpayer data. This
                     contract, which was identified during a prior Treasury Inspector General for Tax
                     Administration (TIGTA) audit,[15] did not include a security assessment addressing whether or
                     not background investigations were required.
                   • None of the contractor personnel who worked on this contract underwent a background
                     investigation.

Source: TIGTA’s review of IRS contract files.

[13] This contract was awarded in February 2014.
[14] A task order is a contract for services that does not specify a firm quantity of services (other than a minimum or
    maximum quantity) and that provides for the issuance of orders for the performance of tasks during the period of the
    contract.
[15] TIGTA, Ref. No. 2011-10-098, The Internal Revenue Service Adequately Prepared for and Responded to the
    Austin Incident (Sept. 2011).

In the case of the courier service, sign language interpretation, and printing contracts, IRS
program office staff and procurement office staff did not properly identify that these contractor
personnel would have access to SBU information. Based on our review, we believe these staff
lacked a clear understanding as to how the term “access” is characterized relative to SBU
information in IRS guidance. For example, for the courier service contract, even though
individuals left IRS facilities with possession of taxpayer and other sensitive data, IRS Office of
Procurement officials advised us that the program office requesting the services did not consider
possession/custody of envelopes and packages with this sensitive data to be “access.”
Furthermore, in July 2013, we informed the IRS that these courier contractors had access to
SBU and taxpayer information but had not undergone background investigations. As of
February 2014, these contractors still had not undergone background investigations.

IRS officials stated that the document recovery contract was awarded under expedited
circumstances due to the Austin incident. The IRS believed that the security provisions for
officially appointing a COR and executing the NDAs in the contract (due to access to taxpayer
data) were overlooked because of the emergency conditions that were present at the time of the
contract award.
In addition, the IRS believes that the provision for background checks of the contractor personnel was not included in the contract because they did not have the time to conduct the investigations due to the urgent nature of the contract. Further, the IRS believed that the contractor’s personnel may have had the required background checks because of prior reclamation work they had performed for other Federal Government agencies.

Allowing contractor personnel access to and custody of sensitive information prior to the appropriate background screening process increases the risk to taxpayers and the IRS of misuse of taxpayer and other sensitive data and possible identity theft.

Recommendations

Recommendation 1: The Deputy Commissioner for Operations Support should establish clear policies and procedures to assure that the types of service contracts discussed in this report have the appropriate security provisions included in the related solicitation and contract, and that associated contractor personnel have appropriate interim access approval or final background investigation prior to beginning work on the contract.

Management’s Response: The IRS agreed with this recommendation. On behalf of the Deputy Commissioner for Operations Support, the IRS Human Capital Officer will clarify policies and procedures to enable the Office of Procurement and business units to include the appropriate security provisions in solicitations and contracts for the types of service contracts discussed in this report.
The IRS Human Capital Officer will also collaborate with the Chief, Agency-Wide Shared Services, to ensure that the CORs are reminded that the associated contractor should receive, at a minimum, a favorably adjudicated interim access determination prior to beginning work on the contract.

Recommendation 2: The Chief, Agency-Wide Shared Services, should evaluate and, if feasible, implement enhanced security requirements policies and procedures for emergency procurements.

Management’s Response: The IRS agreed with this recommendation. The previous TIGTA audit¹⁶ called attention to the need for enhancement of the Incident Management Plan to reflect the required provisions that emergency procurement include compliance with the Federal Acquisition Regulation and other applicable procurement procedures and policies, including required security provision. The Chief, Agency-Wide Shared Services, first updated the Incident Management Plan on July 3, 2012, and has provided additional updates to ensure that this recommendation remains fully implemented. The latest version of the Incident Management Plan is dated March 2013.
The IRS will evaluate and implement, if feasible, security requirements policies and procedures for emergency procurements outside of the Incident Management Plan to ensure that all Office of Procurement personnel understand the standards to be followed when performing these functions during an emergency.

Some Contractor Personnel Did Not Have Timely Background Investigations When Required by the Contract

Implementation of security controls over background investigations is not consistently applied by program or procurement office staff. Although some of the selected contracts contained clauses requiring the contractor personnel to undergo background investigations, the inclusion of security requirements varied between contracts. We identified 13 of 28 contracts for which not all contractor personnel had timely interim access approval or final background investigations.

For 12 of the 28 contracts we reviewed (six of which had more than one compliance issue), IRS program and procurement office staff correctly determined that contractor personnel would be required to undergo background investigations. However, not all contractor personnel underwent an interim access approval or final background investigation, or a background investigation specific to the contracts in our review, prior to beginning work on the contract.¹⁷

For one contract, IRS procurement office staff did not include a requirement for background investigations in the contract language even though program office staff indicated that background investigations should be required. In this case, background investigations were performed after contractor personnel began work on the contract.

¹⁶ TIGTA, Ref. No. 2011-10-098, The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident (Sept. 2011).
¹⁷ We reviewed contract invoices and used the date that each contractor staff member began to charge time on the contract as the date the contractor staff member began to work on the contract. We found that some of the contracts contained invoices that lacked information regarding which specific days and/or which specific contractor staff member performed work on the contract. In these cases, we assumed that work began on the first day of the invoice period.

For six of the contracts, 14 individuals had already received approved background investigations due to their work on other IRS contracts. However, IRS policy requires that each contractor employee undergo a revalidation process when they move to a new contract.¹⁸ For 11 contracts, 35 individuals did not undergo an interim access approval or final background investigation prior to beginning work on a contract but eventually received favorable background investigation results. For two contracts, we identified two individuals who never underwent a background investigation.
See Figure 2 for a breakdown of the background investigations that were either missing, not timely, or not for the correct contract.

Figure 2: Contractor Personnel Without Timely Interim Access Approval or Final Background Investigations

Contract   Interim Access Approval or Final      Background Investigation Not     Background Investigation
           Background Investigation Completed    Completed for This Specific      Not Performed
           After Work Began                      Contract
1          7                                     2                                0
2          3                                     1                                0
3          5                                     5                                0
4          0                                     3                                1
5          1                                     1                                0
6          4                                     0                                0
7          1                                     0                                0
8          3                                     0                                0
9          0                                     2                                0
10         2                                     0                                1
11         1                                     0                                0
12         6                                     0                                0
13         2                                     0                                0
Total      35                                    14                               2

Source: TIGTA’s review of IRS contract files.

The IRS was unable to provide us with the reasons these policy exceptions occurred. Based on information we obtained from the CORs, we believe that additional training on when background investigations are required is needed. This is due to our observations of the inconsistent understanding and application of policies by the CORs related to background investigations.

¹⁸ Internal Revenue Manual 10.23.2.12, Revalidation of Contractor Employee Access, (Nov. 15, 2011).

Nondisclosure Agreements Were Not Always Obtained

We identified 28 contracts for which contractor personnel had access to SBU information; however, for 20 of these contracts, the IRS did not require all individuals with access to SBU information to sign an NDA, could not locate copies of all signed NDAs, or did not timely execute the NDAs.
During our audit period, IRS policy lacked specific detailed guidance on when the NDAs were required, except in the case of expert witness contracts for the Office of Chief Counsel (Chief Counsel). According to IRS policy,¹⁹ these expert witness contracts required that each expert witness and employee of the expert witness sign an NDA before receipt of SBU information. We were provided a variety of reasons why the NDAs were not obtained for all contractor personnel with access to SBU information. For three of the 20 contracts that were for expert witness services for Chief Counsel, we were told that the individuals without the signed NDA were not required to sign one because there was a general disclosure clause in the contract or because a principal of the company had signed one; however, IRS policy explicitly required a signed NDA for these expert witness services. For the other 17 contracts, the NDAs were not obtained for all individuals for a variety of reasons. For example, a contract for cleanup and recovery services of sensitive documents and employee personal effects damaged in the Austin incident did not include a requirement for contractor personnel to sign an NDA. While contractor personnel did sign NDAs for grand jury materials, this does not address nondisclosure of taxpayer data nor does it address the penalties for disclosure of taxpayer data. In another instance, a COR stated that the NDAs were not required because contractor personnel signed a blanket NDA as part of the background investigation process; however, this was not the case.

The purpose of the NDAs is to make contractors aware of their responsibilities for maintaining confidentiality of taxpayer information and to deter noncompliance by explaining consequences related to violations. Without the execution of the NDAs, contractor personnel may not be adequately informed of their responsibilities to protect SBU information.
In addition, without these agreements, the IRS may be unable to hold contractors accountable for failure to properly use and protect SBU information. Unauthorized disclosure of sensitive information by contractor personnel potentially harms the privacy of individuals and erodes the public’s trust in the IRS. In June 2013, the IRS issued more explicit guidance indicating that all contractor personnel who require or have access to SBU information shall complete, sign, and submit an approved NDA.²⁰ Because the IRS has recently revised its policy regarding the NDAs, we are not making a recommendation related to the need for a policy update at this time.

¹⁹ IRS, Policy and Procedures Memorandum 37.2, Expert Witness Procurements (Sept. 2012).
²⁰ Policy and Procedures Memorandum 39.1(I), Safeguards Against Unauthorized Disclosure of Sensitive but Unclassified Information.

Recommendation

Recommendation 3: The Deputy Commissioner for Operations Support should use the results of the contract cases identified in this report to provide program office and procurement office staff with additional training on contractor security requirements, including obtaining timely background investigations and the necessity for contractor personnel to sign the NDAs prior to contract work being performed.

Management’s Response: The IRS agreed with this recommendation.
On behalf of the Deputy Commissioner for Operations Support, the IRS Human Capital Officer will update program guidance and training for program office and procurement office staff to address the issues in this report.

Other Internal Control Matters Identified

Lack of requirements for invoice detail resulted in limited information on contractor personnel

We found that seven of the 28 contracts we reviewed contained invoices that lacked information regarding which specific contractor personnel performed work on the contract. These invoices contained contractor personnel positions such as “Manager” and “Consultant” but did not include specific contractor staff member names. Internal control standards require agencies to establish controls that reasonably ensure, among other things, that funds, property, and other assets are safeguarded against waste, loss, or unauthorized use.²¹ Internal controls also serve as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. We found that these contracts did not include requirements to ensure that contractors provide a sufficient level of detail in their invoices to allow responsible CORs to review key elements. Not only does this make it difficult for the IRS to verify whether amounts billed correspond to contractor personnel who actually worked on a contract, but it presents a security risk.

For example, one contract contained language indicating that all contractor personnel were to undergo a background investigation. However, when we reviewed the contractor invoices, we could not confirm which specific contractor personnel were working on the contract because the invoice contained only position descriptions.
In this case, we had to rely on anecdotal information provided by the COR regarding which contractor personnel were the “Manager” and “Consultant” in order to confirm that they obtained the requisite background investigations before billing time to the contract. While these invoices met the general criteria established for a proper invoice set forth in IRS policy,²² we believe that invoices which do not contain specific contractor staff member names (in conjunction with contract position titles) do not provide sufficient information for proper receipt and acceptance and also present risks from a personnel security perspective because the IRS does not know specifically who performed the work for the contracted services.

²¹ Pub. L. No. 104-208, 110 Stat. 3009, Federal Financial Management Improvement Act of 1986.
²² Internal Revenue Manual, 1.35.3, Administrative Accounting, Receipt and Acceptance Guideline, (June 07, 2013).

Recommendation

Recommendation 4: The Chief, Agency-Wide Shared Services, should consider implementing policy to ensure that contracts include requirements for contractors to provide a level of detail in their invoices to allow responsible CORs to sufficiently review key elements (specifically, contractor personnel names) for proper receipt and acceptance.
For contracts with security requirements, invoice oversight reviews should be performed to ensure that contractor personnel billing labor hours to these contracts have received the appropriate background investigation.

Management’s Response: The IRS agreed with this recommendation. The Chief, Agency-Wide Shared Services, will consider implementing policy to ensure that solicitations, where contractors bill on an hourly basis, include appropriate language to require contractors to provide a level of detail in their invoices to allow the CORs to sufficiently review key elements (specifically, contractor personnel names) for proper receipt and acceptance. For contracts with security requirements, the Chief, Agency-Wide Shared Services, will review oversight procedures to ensure that contractor personnel billing labor hours to these contracts have received the appropriate background investigation.

Some contracts did not require background investigations

We determined that six of the 28 contracts we reviewed did not require any contractor personnel to undergo background investigations because these personnel were covered by a waiver granted in August 2005 to Chief Counsel.²³ This waiver specifically covers all Chief Counsel contracts for expert witness services. The waiver was granted, in part, because Chief Counsel stated that it conducts a comprehensive review of the proposed expert’s qualifications prior to awarding a contract for expert witness services. However, Chief Counsel does not perform the same type of investigative screening that is performed when contractor personnel undergo background investigations, such as criminal history checks. We did not review the thoroughness or completeness of Chief Counsel’s review of the experts’ qualifications.
However, we believe this practice may present a security risk since a background investigation is not conducted. In addition, the IRS provides taxpayer and other SBU information to expert witnesses and gives them the option of destroying or returning it to the IRS at the completion of their assignment.

²³ IRS, Policy and Procedures Memorandum 37.2, Expert Witness Procurements (Sept. 2012).

Recommendation

Recommendation 5: The Chief Counsel should work with the Department of the Treasury Security Office to review the waiver currently in place that exempts expert witnesses from background investigations and determine if the waiver is still appropriate in the current security environment.

Management’s Response: The IRS disagreed with this recommendation. Specifically, the Chief Counsel has reviewed this recommendation and has determined it is not necessary to revisit a waiver issued by the Department of the Treasury Security Office as Chief Counsel believes its current review of employee qualifications is sufficient to address any related security risks.

Office of Audit Comment: TIGTA believes that waiving the requirement for a background investigation presents a security risk.
Given the length of time the current waiver has been in place (since August 2005), the IRS should request a review of the waiver by the Department of Treasury Security Office to determine whether it is still appropriate in the current security environment.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine the effectiveness of IRS controls to ensure that background investigations were conducted for contractor personnel who had access to SBU information. To accomplish this objective, we:

I. Assessed the adequacy of the internal control environment and agency compliance with established Federal regulations and agency policies for the IRS contractor personnel background investigation program.
   A. Obtained and reviewed current Department of the Treasury and IRS policies and procedures, Department of Homeland Security directives, and other pertinent written policies and procedures for:
      1. Identifying solicitations and contracts which must contain security provisions and clauses when access to IRS facilities or systems and/or SBU information is required.
      2. Designating and documenting the risk level of each position within a contract.
   B. Interviewed key IRS personnel from the Office of Procurement; the Contractor Security Management Branch, Incident and Contract Management Division, Physical Security and Emergency Preparedness Branch; Personnel Security Office, Human Capital Office; and business unit program managers to identify and document their roles and responsibilities in the contractor personnel background investigation program and the procedures and practices utilized in executing those responsibilities.
II. Determined whether the IRS adequately identified during the planning, solicitation, and award phases those contract actions which must contain security provisions and clauses when access to IRS facilities or systems and SBU information is required and the related contractor positions requiring background investigations.
   A. Selected a sample of contracts from a list of all IRS active contracts as of May 31, 2013, (for services potentially requiring contractor access to sensitive information either within IRS offices or within IRS information systems) to determine whether the appropriate security provisions and clauses were included as required by IRS policy. We used risk-based criteria to eliminate contracts from further review. We identified IRS contracts awarded between October 1, 2010, and May 31, 2013, for amounts greater than $25,000 for goods or services that we determined might require access to IRS facilities, systems, or SBU information. We further limited our population to include only those contracts which were identified as “labor hour” or “time and material” contracts because these contracts would require labor from contractor personnel.
   B. We reviewed the random stratified sample of 30 contract files to determine whether the contract actions were identified in the planning, solicitation, and award phases as requiring security provisions and clauses. Although our sample of 30 was randomly selected out of a total of 348 contracts within the various strata we identified, we did not project the results of our analysis to the entire population of contracts awarded during our audit period because the sample size was not large enough. Of these 30, one contract was included in our sample twice, reducing the sample we reviewed to 29 contracts. In addition, we determined that five contracts did not require any type of access to IRS facilities, systems, or SBU information and therefore did not require security provisions or clauses. For the remaining 24 contracts, we determined if all contractor positions requiring background clearances were properly identified. If any contractor positions required a background clearance but were not identified as such, we determined whether any of the personnel associated with those positions had access to IRS facilities or systems.
   C. Evaluated five known contract actions (judgmental sample)¹ previously identified as having contractor personnel who gained access to IRS SBU information or facilities. Prior investigations and an audit identified these contracts as illustrative of potential control weaknesses.² We evaluated these contract actions and determined what potential weaknesses (in the policies and procedures for identifying contract actions (solicitations or contracts) or contractor positions/contractor personnel) resulted in the access to SBU information or facilities by contractor personnel without background clearances. For one of these contracts, we determined that contractor personnel were not required to undergo background investigations and did not have access to SBU information or unescorted access to IRS facilities.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: IRS policies and procedures for background investigations for contractor personnel. We evaluated these controls by interviewing management, reviewing documentation, reviewing a random stratified sample of 29 contracts representing a range of services acquired by the IRS, and reviewing a judgmental sample of five contracts identified previously as having security concerns related to contractor personnel.

¹ A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
² TIGTA, Ref. No. 2011-10-098, The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident (Sept. 2011),

Appendix II

Major Contributors to This Report

Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt Organizations)
Alicia P. Mrozowski, Director
Heather M. Hill, Audit Manager
Evan Close, Lead Audit Evaluator
Gary Pressley, Senior Auditor
Trisa Brewer, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Chief, Agency-Wide Shared Services OS:A
Chief Counsel CC
IRS Human Capital Officer OS:HC
Deputy Chief Counsel (Operations) CC
Director, Employment, Talent, and Security, IRS Human Capital Officer OS:HC:ETS
Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services OS:A:P
Director, Procurement, Agency-Wide Shared Services OS:A:P
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Deputy Commissioner for Operations Support OS
    Deputy Commissioner for Services and Enforcement SE
    Chief, Agency-Wide Shared Services OS:A
    Chief Counsel CC
    IRS Human Capital Officer OS:HC

Appendix IV

Outcome Measure

This appendix presents detailed information on the
measurable impact that our recommended\ncorrective actions will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Taxpayer Privacy and Security \xe2\x80\x93 Potential; 1.4 million taxpayer accounts affected\n    (see page 6).\n\nMethodology Used to Measure the Reported Benefit:\nWe reviewed 28 contract files to determine the effectiveness of the IRS controls to identify\ncontract actions that require security provisions to safeguard against unauthorized contractor\naccess to sensitive information during the course of contract performance and the identification\nof related contractor positions requiring background investigations. We determined that for\nfive contracts, taxpayer and other sensitive information may be at risk as a result of a lack of\nbackground investigation requirements. Specifically, these contracts were for courier services,\nprinting services, sign language interpreters, and document recovery services. 
For four of the\ncontracts, we could not quantify how many taxpayer accounts may have been affected.\nHowever, for one contract for printing services, we determined that contractor personnel were\nprovided access to information about 1.4 million taxpayer accounts without first undergoing\nappropriate background investigations or other preliminary suitability screenings.\n\n\n\n\n                                                                                          Page 20\n\x0c              Some Contractor Personnel Without\n             Background Investigations Had Access\n        to Taxpayer Data and Other Sensitive Information\n\n\n\n                                                   Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 21\n\x0c      Some Contractor Personnel Without\n     Background Investigations Had Access\nto Taxpayer Data and Other Sensitive Information\n\n\n\n\n                                                   Page 22\n\x0c      Some Contractor Personnel Without\n     Background Investigations Had Access\nto Taxpayer Data and Other Sensitive Information\n\n\n\n\n                                                   Page 23\n\x0c      Some Contractor Personnel Without\n     Background Investigations Had Access\nto Taxpayer Data and Other Sensitive Information\n\n\n\n\n                                                   Page 24\n\x0c      Some Contractor Personnel Without\n     Background Investigations Had Access\nto Taxpayer Data and Other Sensitive Information\n\n\n\n\n                                                   Page 25\n\x0c      Some Contractor Personnel Without\n     Background Investigations Had Access\nto Taxpayer Data and Other Sensitive Information\n\n\n\n\n                                                   Page 26\n\x0c'